Domain generation algorithm allows scripts to bypass ad blockers.


The rise of drive-by cryptocurrency mining on a growing number of websites has led to a renewed demand for ad-blocking software. Web users are seeking new ways to ward off hidden code that saddles computers with resource-draining coin mining. Now some miners are employing a trick first popularized by botnet software that bypasses ad blocking.


Domain generation algorithms are a software-derived means of creating a nearly unlimited number of unique domain names on a regular schedule. DGAs, as they're usually called, came to light in 2008 following the release of the highly viral Conficker worm. To prevent whitehats from seizing the domain names Conficker used to receive command-and-control instructions, the malware generated hundreds of new, unique domains each day that infected computers would check for updates. Because every infected machine derives the same list from the current date, the operator needs to register only one of those names ahead of time; if the old domains were sinkholed, Conficker needed to reach only one of the new addresses to remain under its creator's control. The burden of registering more than 90,000 new domain names every year has proved so great for whitehats that Conficker continues to operate even now.
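The mechanism above, as an added example that is not code from the article, from Netlab 360 or from any malware family: a toy date-seeded DGA in which client and operator compute the same daily list, plus a cheap lexical detector run over the domain names quoted later in the article. The seed, the hash construction, the label lengths and the TLD list are assumptions made for illustration; neither Conficker nor the popad network is known to use this exact scheme.

```python
"""Toy date-seeded DGA and a lexical triage heuristic (added example).
Seed, hash construction, label lengths and TLD list are assumptions."""
import hashlib
import string

TLDS = ("com", "bid", "net")   # assumed; .com and .bid occur in the quoted samples
VOWELS = set("aeiou")          # 'y' is treated as a consonant


def dga_domains(day, count=250, seed=b"toy-seed"):
    """Derive `count` domains for the ISO date string `day` (e.g. "2018-01-08").

    Infected hosts and the operator compute the same list from (seed, day), so
    the operator has to register only one name ahead of time, while a defender
    who wants to deny contact must sinkhole or register all `count` names, and
    do it again tomorrow.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.encode() + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 5                          # 8..12 characters
        label = "".join(string.ascii_lowercase[b % 26] for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def lexical_features(domain):
    """Length, vowel ratio and longest consonant-letter run of the leftmost
    label; digits and hyphens end a run."""
    label = domain.lower().split(".")[0]
    letters = [c for c in label if c.isalpha()]
    vowels = sum(1 for c in letters if c in VOWELS)
    longest = run = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return {
        "length": len(letters),
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "max_consonant_run": longest,
    }


def looks_generated(domain):
    """Triage heuristic: flag labels with four or more consonants in a row, or
    long labels with fewer than a quarter vowels. It catches most of the names
    quoted in the article but not pronounceable output such as zymaevtin.bid,
    and it flags some real names (wordpress has the run 'rdpr'), so use it to
    prioritise DNS log review, not as a blocking rule."""
    f = lexical_features(domain)
    return f["max_consonant_run"] >= 4 or (f["length"] >= 8 and f["vowel_ratio"] < 0.25)


if __name__ == "__main__":
    batch = dga_domains("2018-01-08")                      # constructed date
    print(len(batch), "candidate domains, e.g.", batch[:3])
    for d in ("zylokfmgrtzv.com", "zymaevtin.bid", "arfttojxv.com", "arstechnica.com"):
        print(f"{d:20s} looks generated: {looks_generated(d)}")
```

The asymmetry is the whole point of a DGA: the operator registers one of the 250 names for the day, the defender has to take all 250. The detector is deliberately crude; real DGA classifiers use n-gram models or are trained on known families, and pronounceable generators defeat simple vowel counting.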

Researchers at China-based Netlab 360 reported over the weekend that an advertising network is using DGAs to conceal the in-browser currency-mining code it runs on websites. Normally, the ad network will redirect visitor browsers to serve.popad.net, which hosts ads that load coinhive.min.js. That's the JavaScript code that bogs down visitor computers by making them participate in a giant mining pool hosted by coinhive.com, which keeps 30 percent of the proceeds and gives the remainder to the advertiser or website that provided the referral. In most cases, all of this happens behind the scenes with no visible sign of what's happening, with the exception of over-revving fans and decreasing computer performance.

Raising the bar

Computers that run an ad blocker that prevents visiting browsers from accessing the popad.net page, however, will instead be redirected to a seemingly random domain such as "zylokfmgrtzv.com," "zymaevtin.bid," or "zzevmjynoljz.bid." The decoy page then loads JavaScript that has been heavily obfuscated to conceal the mining.

"As early as mid 2017, this ad network provider has been using domain DGA technology to generate seemingly random domains to bypass adblock to ensure that the ads it serves can reach the end users," Netlab 360 researcher Zhang Zaifeng wrote in a blog post published Saturday, referring to a Chrome browser blocking extension called AdBlock. "Starting [in December], the bar got raised again, and we began to see these DGA.popad domains participating in cryptojacking without end-users' acknowledgement."

The researcher went on to say that the number of people being redirected to the algorithmically generated domains appeared to be significant. One domain, arfttojxv.com, was 1,999 in the Alexa website ranking, while vimenhhpqnb.com was 2,011 and ftymjfywuyv.com was 2,071. The websites Netlab 360 found running the DGA-enabled ads were mostly purveyors of porn and other content that's often used as bait in scams.

Strangely, a screenshot provided in the post shows that the algorithmically generated domain eventually calls coin-hive.com. That suggests the DGA technique described works only against ad blockers that don't block that domain. Note the hyphen: a blocklist that matches exact host names and lists only coinhive.com will not stop a request to coin-hive.com, so both pool names need to be on the list. A growing number of ad blockers and anti-malware programs block Coinhive domains.

"To me, this isn't about bypassing Coinhive detection but rather bypassing ad networks by using quickly changing domains," Jérôme Segura, lead malware analyst for Malwarebytes, told Ars. "For Malwarebytes users it doesn't matter because we can block either the ad network or the coinhive call."
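To make the blocking question concrete, an added example that is not code from the article or from any ad blocker: it replays the two load paths the post describes (ad host loading coinhive.min.js, or DGA decoy loading the obfuscated miner) against hosts-style blocklists and reports which path still reaches a mining pool. The host names are the ones named in the article; the routes, the blocklists and the two matching rules are constructed here.

```python
"""Hosts-style blocklist versus the popad/DGA load chain (added example).
Routes, blocklists and matching semantics are constructed for illustration."""

# Constructed model of the post's description. A route delivers the miner only
# if every hop on it resolves.
ROUTES = {
    "direct": ["serve.popad.net", "coinhive.com"],    # ad host loads coinhive.min.js
    "dga":    ["zylokfmgrtzv.com", "coin-hive.com"],  # decoy domain, obfuscated miner
}

# Constructed hosts-file blocklists (the format hosts-based lists and Pi-hole use).
AD_ONLY = """
127.0.0.1 localhost
0.0.0.0 serve.popad.net   # ad network
"""
AD_PLUS_COINHIVE = AD_ONLY + "0.0.0.0 coinhive.com\n"
AD_PLUS_BOTH = AD_PLUS_COINHIVE + "0.0.0.0 coin-hive.com\n"


def parse_hosts_blocklist(text):
    """Names a hosts-style list sinks to 0.0.0.0 or 127.0.0.1, minus the
    localhost entries every hosts file carries. Trailing '# comments' are stripped."""
    blocked = set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name not in ("localhost", "localhost.localdomain", "broadcasthost"):
                blocked.add(name)
    return blocked


def exact_match(name, blocked):
    """hosts-file semantics: only the literal name is blocked, so an entry for
    coinhive.com stops neither www.coinhive.com nor coin-hive.com."""
    return name.lower().rstrip(".") in blocked


def suffix_match(name, blocked):
    """Resolver-level semantics (e.g. a dnsmasq address=/coinhive.com/0.0.0.0
    rule): the name and every subdomain are blocked, but a different
    registered name such as coin-hive.com still is not."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def reachable_routes(blocked, matcher=exact_match, routes=ROUTES):
    """Which routes survive a blocklist: True means the miner still loads."""
    return {name: all(not matcher(hop, blocked) for hop in hops)
            for name, hops in routes.items()}


if __name__ == "__main__":
    for title, text in (("ad host only", AD_ONLY),
                        ("ad host + coinhive.com", AD_PLUS_COINHIVE),
                        ("ad host + both pool names", AD_PLUS_BOTH)):
        print(f"{title:28s} {reachable_routes(parse_hosts_blocklist(text))}")
```

Blocking the ad host alone pushes the page onto the DGA route; adding coinhive.com still leaves that route open because the decoy calls the hyphenated name; only listing both pool names kills both routes. Blocking the decoy domain itself is not shown because tomorrow's decoy will be different, which is the reason the pool name, not the DGA output, is the stable thing to block.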

Zhang said it's not clear how much money the ads have generated to date. Generally, the returns from in-browser mining are small. This post from September reported the results when one very small site experimented with mining as a potential alternative to traditional ads. With roughly 1,000 visits per day and a 55-second average session, the site made 36 cents per day, roughly a fifth to a quarter of what it made running regular ads.

That is why I use whitelists rather than blacklists. It takes a little time to set up each time you visit a webpage for the first time (have to figure out what to allow and what not to), but you are protected from this form of asshatery.

Some sites validly have an ad-based revenue system and depend on ads, and if done right, I have no issue. ARS is one of them, so are many news sites. I block using ScriptSafe, but the problem is that some of these valid, ad-supported sites have 30 or 40 remote javascript code pulls and I just do not have the time to check them all, and usually the site just does not work, and I give up.

I am a paying subscriber here because ARS is so good and want this site to continue, not to get an ad-free experience. But the advertising industry has to do better, and sites have to stop attaching 30 or 40 ridiculous remote javascript programs into their pages . . .

Monero is considered shady as fuck even within the cryptocurrency circle. This says a lot.

Tell that to Salon.com

Still trying to figure out what cryptocurrency is good for, besides scams. The feds can seize it, criminals can steal it and your computer can be hijacked to mine it. At least tulip bulbs could be turned into pretty flowers.

I use uMatrix, which is sort of a combo of NoScript and uBlock Origin, by the same author as uBlock (gorhill). It's a very cool utility that lets you explicitly set up permissions however you want. The interface takes some figuring out, it's not real intuitive at first, but it's very powerful once you get it.

At present, I have cookies, css, and image categories whitelisted everywhere. (I then run a cookie manager that throws away everything but a few whitelisted domains when the browser closes.) I blacklist "media", "script", "XHR", "frame", and "other" by default.

This means that any site that uses just cookies, css, and images instantly works. Sites that use more than that need permissions granted, which uMatrix allows on a per-site or per-domain basis. Sometimes this can require reloading a site several times, as I'll grant permissions and reload, only to find that a bunch of new domains have now shown up, requiring further whitelisting and reloading. Once I've figured out how to make a site work, I can save the permissions, so that it'll keep working in the future; for sites I care about, I only have to figure them out once.

Figuring out exactly which domains need to be whitelisted in which categories can sometimes take a minute or two... this is not entirely hassle-free browsing, and there are some sites that just refuse to work at all. Typically, I figure they weren't worth it anyway. (Kind of sour grapes, admittedly.) But it's much safer than normal, and should make me immune to this kind of obfuscated coinhive attack.

As an example: for this site, I've granted script, XHR, and frame permissions to the arstechnica.com and arstechnica.net domains, and have saved those permissions, so the site works every time I show up. If they tried to pull in coinhive, whether directly or indirectly, that code just wouldn't run, but the main site would keep working fine.

The DGA domain name problem isn't helped when even reputable sites like Ars are trying to execute code from sites like "yldbt.com" and "zqtk.net" in my browser. Why should I trust any code from a site that attempts to obfuscate what it is trying to run on my computer?


uMatrix is awesome for that. First time you use the site it takes a bit of effort but after that it's easy sailing and most of us frequent reasonably few sites.


Be that as it may, all it takes is ONE malicious ad to slip into an ad network and you're screwed. And it happens all ... the ... time. So why wouldn't you simply filter them all out when you don't know what's coming down the pipe? Doesn't mean you have to take it up the ass just because your altruism gets the best of you.

So glad i run a pi-hole on my home network with a lot of the publicly available blocklists. Domains like arfttojxv.com are already listed on at least 3 of the blocklists that I use. And it protects every single device on my network.

So, question. My wife certainly isn't going to use uMatrix because she isn't savvy enough and doesn't want to learn it. I don't say I blame her, it's a bit tricky to understand. Same thing for my friends that aren't savvy.

However, hosts files and DNS binding are within my control and she doesn't have to do anything.

We will never, ever use coinhive.

With the above scenario, would it be best to just block coinhive altogether in my DNS server as well as local hosts files on her devices, even if the .js being used is hosted elsewhere? I'm assuming that at some point the JavaScript call will eventually need to resolve coinhive.com, right? So if coinhive just resolves to localhost, that would theoretically stop most of this nonsense?


uBlock Origin might be the easiest solution. Otherwise you need a way to auto-update DNS lists, as those change constantly.

Unfortunately the best way is, as always, white listing and there is no part of that that is not PITA. Security and ease of use generally don't mix. It's up to you and her to decide how much is each worth.

Why is there no effort from the big content providers (***cough****CondeNast***cough***) to demand a clean ad network? This isn't brain surgery and until content providers band together and crush ad networks that allow this shit we're going to see the ad supported model destroyed by greedy ad networks.

I mean I know subscriptions are preferable from a content providers point of view, but come on, other options are a good thing.


You might want to take a look at pi-hole. It's a full-featured DNS blacklist that's designed to be run on something as small as a Raspberry Pi, but you can run it on virtually any linux system you want. Use it as your local DNS server rather than whatever your ISP provides, and you automatically protect every single device on your network without having to manually edit hosts files, etc.

Any other adblocker is too weak. Google Chrome's adblocker as well as Adblock Plus allow some ads. No ad can be allowed.

Ads are a 1999 thing. Regardless of malware or not, stop supporting being solicited without your consent, because you let these companies do things like this crypto mining crap.

That's hypocritical considering you're posting this on an ad-supported website without being a subscriber.

You know what? I would prefer to support Ars through ads. I really don't want to manage a bunch of subscriptions around the net and ads seem like a reasonable trade-off to me.

The problem is that content providers have sat on the sidelines while ad networks have continually gotten more and more annoying and dangerous to their audience. Between page-blocking ads and autoplay movies suddenly screaming at you and the plethora of malware on offer, ads are currently a complete non-starter for anyone with even a modicum of security awareness. So don't bitch about people blocking ads until the ad networks are cleaned up.


I'm not bitching about people blocking unreasonable ads. I do that myself. I was replying to the fact that the OP wants to block *all* ads, even the relatively unintrusive and benign ones that Adblock Plus lets through. If we all did that, either most websites wouldn't be sustainable, or we would have to manage a bunch of subscriptions.

Adblock Plus will let through any ads that they are paid to let through. You may consider them trustworthy, I sure don't. It's also a band-aid to the problem and if it fails, you're screwed.

What's needed is an ad network that only allows static HTML. Period. End of sentence. No javascript, no video, no nothing. CondeNast's print publications don't host ads that threaten their users, why should their websites?

Once again, more proof that JavaScript has no place in online ads. If the public understood how dangerous they were, there would be widespread outrage. The problem is that the risk is too complicated for many people to comprehend.

These DGAs, how are they paid for, etc.? It costs me a lot just to keep one .com and a .biz registered, whereas these malicious players get thousands of domains registered, and how much does it cost them?

The hacker only has to buy one of the 1000 per day, the malware tries them all, verified with a crypto handshake. He doesn't care if his domain is revoked when the credit card bill is reversed, it only has to last one day.


I don't think it would. The code being used is specifically designed to bypass that type of counter-measure. It's pointing at oasdifu9wu9q.com instead of coinhive.com.


Blacklisting a list of things never really works well from a security perspective. In essence, you're trying to enumerate badness, but badness is infinite. Yeah, you can block coinhive, for instance, but the technique in this article is explicitly immune to this kind of blacklisting, because they're creating new domains every day. Badness never ends. There's always more of it.

What you really want is a whitelist approach, where you explicitly disable everything except what you allow. Doing this in hosts is not feasible. Doing it via DNS is possible, but would be *very* painful, and would require constant maintenance. Whitelisting through an addon like uMatrix seems, to me, to be about the only reasonable approach, and it's a shame that it won't work for less technical people.

RE: The hosts question above. What hosts lists do people use? There are a couple I've borrowed plenty from (StevenBlack, MVPS, etc.), but are there better ones out there? How often do you update your hosts file, and is there a way to automate it? (whether for macOS, Windows, or Linux)


Why do people keep stating this misinformation like it's the gospel? Adblock Plus may be configured by default to allow "Acceptable Ads" (their term, not mine, read: paid), but it's easily disabled. I have all ads disabled with Adblock Plus; I don't see any at all.

Combined with Ghostery, the two tools together catch just nearly all ads and trackers that litter the landscape.

In regards to those that say one shouldn't block all ads, I'm of the opposite opinion. Time and time again, the ad networks have shown themselves either unwilling or incapable of dealing with the malware issue. If what it takes is pushing the industry to the edge of collapse before they actually put time and effort into resolving the issue, then so be it. From the ashes will arise a more subdued, humble ad network that actually puts the end users first.

I am wondering if this issue may be self-solving. Ad network payouts per view have dropped significantly. In addition, ad blocking software is getting more popular. I suspect that the reason that many networks are moving toward pay services is that the ad revenue just will no longer support the site.

Personally, I am moving my site from ad networks to ads we sell directly. It resolves the issue both with problem ads and with ad blockers.


I hate to say it, but the clients themselves are problematic by demanding whatever grabs attention (in their minds) and having servile sales reps bending to their whims.

I think it's more of a cultural problem than just a bunch of "greedy" ad networks.